I noticed that GVM reports a product CPE in the wrong format when it is a patch version. For example, the following is the CPE that GVM built for OpenSSH Server 8.9p1: cpe:/a:openbsd:openssh:8.9p1. The correct CPE should be
December 27, 2022, 2:59pm
You are mixing up Patch and Portable: there is OpenSSH 8.9 and OpenSSH 8.9p1 (Portable), which is not a patch level.
Yeah. I’m very sorry for my misunderstanding. I searched for the CPE in NVD - Search (nist.gov) but could not find it, then rushed to conclude that the CPE format was wrong. Now I can find information about OpenSSH Portable here: OpenSSH: Portable Release. Thank you for explaining.
January 10, 2023, 12:35pm
Strangely enough, it seems that the NVD has switched from using the “correct” CPE cpe:/a:openbsd:openssh:4.4p1 to using cpe:/a:openbsd:openssh:4.4:p1, as seen in e.g.:

@panajo1017 You might want to contact the NVD via https://www.nist.gov/about-nist/contact-us to get this corrected back so that the p1 isn’t added to the Update component of the CPE, because p1 is actually not an update / patch, as we have now concluded.
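The component layout the thread is arguing about, as an added example that is not code from the thread, from GVM or from the NVD: a small parser for the CPE 2.2 URI binding (cpe:/part:vendor:product:version:update:edition:language) plus a component-wise comparison, run over the two spellings quoted above. It shows why cpe:/a:openbsd:openssh:4.4p1 (p1 inside the version component) and cpe:/a:openbsd:openssh:4.4:p1 (p1 in the update component) do not match each other, and why a plain OpenSSH 4.4 entry would match the NVD spelling when an empty update component is treated as "any". The fold_portable_suffix step is an assumption of this example, one way a local matcher could reconcile the two spellings; it is not documented GVM or NVD behaviour.

```python
import re
from dataclasses import dataclass, replace

# Component order of the CPE 2.2 URI binding:
#   cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


@dataclass(frozen=True)
class Cpe22:
    part: str = ""
    vendor: str = ""
    product: str = ""
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""


def parse_cpe22(uri: str) -> Cpe22:
    """Split a CPE 2.2 URI into its named components; trailing components may be omitted."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len(prefix):].split(":")
    if len(fields) > len(CPE22_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    fields += [""] * (len(CPE22_FIELDS) - len(fields))
    return Cpe22(*fields)


def components_match(a: Cpe22, b: Cpe22) -> bool:
    """Component-wise comparison. An empty component is treated as 'any';
    that is the simplification used in this example, real matchers have more rules."""
    for name in CPE22_FIELDS:
        x, y = getattr(a, name), getattr(b, name)
        if x and y and x != y:
            return False
    return True


# Hypothetical reconciliation step (an assumption of this example, not GVM or NVD
# behaviour): if an OpenSSH CPE carries 'p<N>' in the update component, fold it back
# into the version, because 'p<N>' denotes the Portable release, not a patch level.
PORTABLE_SUFFIX = re.compile(r"p\d+")


def fold_portable_suffix(c: Cpe22) -> Cpe22:
    if c.vendor == "openbsd" and c.product == "openssh" and PORTABLE_SUFFIX.fullmatch(c.update):
        return replace(c, version=c.version + c.update, update="")
    return c


def demo() -> dict:
    """Compare the two spellings from the thread; the CPE strings are the quoted ones."""
    gvm = parse_cpe22("cpe:/a:openbsd:openssh:4.4p1")     # spelling produced by GVM
    nvd = parse_cpe22("cpe:/a:openbsd:openssh:4.4:p1")    # spelling seen in the NVD
    non_portable = parse_cpe22("cpe:/a:openbsd:openssh:4.4")
    return {
        # versions "4.4p1" and "4.4" differ, so the scanner's CPE never hits the NVD entry
        "gvm_vs_nvd": components_match(gvm, nvd),
        # after folding p1 back into the version the two spellings agree
        "gvm_vs_nvd_folded": components_match(gvm, fold_portable_suffix(nvd)),
        # the non-Portable 4.4 matches the NVD spelling because its empty update means 'any'
        "nonportable_vs_nvd": components_match(non_portable, nvd),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical consequence for a vulnerability lookup keyed on component equality is the first result: a host that GVM reports as cpe:/a:openbsd:openssh:4.4p1 will not be matched against an NVD entry spelled 4.4:p1, which is why the poster suggests getting the NVD data corrected rather than patching every consumer.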